topic Re: NAT Translation to web server in 4.1.2 when WAN in DHCP Client in General Topics

NAT Translation to web server in 4.1.2 when WAN in DHCP Client

mbehlok — Tue, 24 Jan 2012 07:45:31 GMT

Hello,

I have a PA-500 and need to setup some NAT Translation so external users can access some internal web and VMware View Servers in my lab.

Since my Ethernet1/1 (WAN) has to be setup as a DHCP Client, what do I use in the "Originating Packet" - "Destination Address"?

I was able to trick it by creating an address entry and specifying the IP I currently have, but if that changes, this NAT rule will not work until I change to the new address.

Is there a way to tell the unit to use whatever the IP is on the untrust zone?

Any help appreciated.

Re: NAT Translation to web server in 4.1.2 when WAN in DHCP Client

jdelio — Tue, 24 Jan 2012 21:20:24 GMT

That is referred to as Destination NAT (or Static NAT in the wild), we cannot point to DHCP interface IP addresses in destination NAT or address objects. As a workaround, we need to know what IP address we receive from the DHCP server and manually configure that IP address in our configurations.

1. Goto Objects->Addresses
2. Click Add, choose IP Netmask and type in the IP address of the DHCP interface.
3. Use this address object in your NAT configurations.

I hope this helps a little.

Re: NAT Translation to web server in 4.1.2 when WAN in DHCP Client

mbehlok — Wed, 25 Jan 2012 00:51:02 GMT

Thanks for the reply, I appreciate it.

I come from the Juniper world. On the SRX, if you are using DHCP on the WAN conenction, you basically specify the Destination-Address as 0.0.0.0/0 and it will use whatever ip address is assigned to teh WAN interface via DHCP.

Heres a snippet of my original Juniper SRX config (Which has been replaced by the PA-500)

Example of Destination NAT rule:

rule-set Incoming {

from zone untrust;

rule RDP_3389 {

match {

destination-address 0.0.0.0/0;

destination-port 3389;

Example of Security policy to allow RDP traffic in:

policy rdp-in-vmutils01 {

match {

source-address any;

destination-address vmutils01;

application RDP3389;

}

then {

allow;

log {

session-init;

session-close;

In this scenario, even if the wan ip changes, all destination NATs will still function provided I have Dynamic DNS configured correctly on my end.

Thanks again. Is there any way to add that as a feature request? and if so, whats the procedure?

Re: NAT Translation to web server in 4.1.2 when WAN in DHCP Client

torm — Wed, 25 Jan 2012 11:38:36 GMT

I've got the same setup on my PA-200. I have solved this problem by created an addess object with my dyn-dns address, and use that in my nat policy(as the orginal packet - destination address). Provided your pa has the serivce route for dns set correctly, this seems to be working fine.

Re: NAT Translation to web server in 4.1.2 when WAN in DHCP Client

jdelio — Thu, 26 Jan 2012 22:10:07 GMT

Also, for the record, in order to put in a Feature Request, you need to contact your reseller or local SE, and they can handle that for you.

Re: NAT Translation to web server in 4.1.2 when WAN in DHCP Client

npare — Fri, 27 Apr 2012 04:26:01 GMT

Thanks, that works really well.

Re: NAT Translation to web server in 4.1.2 when WAN in DHCP Client

nathan.houck — Fri, 16 Nov 2012 20:37:51 GMT

I can't believe there isn't an easy way to specify this in this product since both Cisco and Juniper support pointing to a DHCP address.